Sie sind auf Seite 1von 31

TARGETED SAFETY REVIEW

Version: 1

Paks Nuclear Power Plant Ltd. Units 1-4.

TARGETED SAFETY REVIEW SUMMARY OF THE PROGRESS REPORT

Paks, 15 August 2011

TARGETED SAFETY REVIEW

Version: 1

TABLE OF CONTENTS
FOREWORD ...............................................................................................................................4 1. 1.1 1.1.1 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.2 1.2.1 1.2.2 1.2.3 1.2.4 1.3 2. 2.1 2.2 2.3 2.4 2.5 2.6 3. THE SITE AND MAIN CHARACTERISTICS OF THE PLANT ........................................................7 BASIC INFORMATION ...................................................................................................7 Location and surroundings .................................................................................7 Number of units .................................................................................................8 Licence holder ...................................................................................................9 Type and power of reactors ................................................................................9 Dates of commissioning .....................................................................................9 Characteristics of the spent fuel pools ................................................................9 External electrical connections ......................................................................... 11 Differences between the units relevant to safety and the review ....................... 12 SITE-SPECIFIC EXTERNAL NATURAL HAZARDS ............................................................ 14 Earthquakes ..................................................................................................... 14 Flooding .......................................................................................................... 16 Low level of the River Danube......................................................................... 16 Extreme weather conditions ............................................................................. 17 FINDINGS OF EARLIER PROBABILISTIC SAFETY ASSESSMENTS ...................................... 17 REVIEW RESULTS ............................................................................................................ 20 LONG-DURATION TOTAL LOSS OF THE ELECTRICAL POWER SUPPLY ............................. 21 LOSS OF THE ULTIMATE HEAT SINK ............................................................................ 22 VULNERABILITY OF THE CONTAINMENT FUNCTION TO EXTERNAL EVENTS THAT EXCEED THOSE IN THE DESIGN BASIS .......................................................................... 24 SEVERE ACCIDENT SEQUENCES LEADING TO SIGNIFICANT RADIOACTIVE RELEASES ...... 25 ACCIDENT MANAGEMENT MITIGATING THE CONSEQUENCES OF UNCONTROLLED KEY EVENTS ..................................................................................................................... 26 SITE EMERGENCY PROCEDURES FOR MANAGING THE CONSEQUENCES OF UNCONTROLLED KEY EVENTS .................................................................................... 27 EXECUTIVE SUMMARY .................................................................................................... 29

LIST OF ABBREVIATIONS .......................................................................................................... 31

CBF_EJ_Eng

2011

Page 2 of 31

TARGETED SAFETY REVIEW

Version: 1

TABLES
Table 1.1-1: Table 1.1-2: Main process parameters..................................................................9 Status of plant modifications for severe accident management and the schedule for implementation .................................................... 13

FIGURES
Fig. 1.1-1: Fig. 1.1-2: Fig. 1.1-3: Fig. 1.1-4: Fig. 1.1-5: Fig. 1.1-6: Fig. 1.1-7: Fig. 1.2.1-1: Location of Paks nuclear power plant...............................................7 General view of the site ...................................................................8 General view of Paks NPP ...............................................................8 The operational and spare storage racks of the spent fuel pool........ 10 The 400 kV substation ................................................................... 11 The Hungarian national grid .......................................................... 12 The Ukrainian and Hungarian diesel generators ............................. 13 The seismic hazard curves ............................................................. 14

CBF_EJ_Eng

2011

Page 3 of 31

TARGETED SAFETY REVIEW

Version: 1

Foreword
A severe reactor accident took place in March 2011 at the Fukushima Dai-ichi nuclear power plant in Japan, caused by an extremely large tsunami that followed the largest earthquake in Japans written history. The earthquake, of magnitude 9 on the Richter scale, occurred in the seabed about 130 km from the shore, at a depth of 24 km. Ground level acceleration at the plant exceeded the limits set in the plants design basis1. As a consequence, the units in operation were shut down. The electrical grid was seriously damaged by the earthquake and the outside electricity supply to the plant ceased. The emergency supply was taken over automatically by the plants diesel generators, cooling the shut-down reactors and the spent fuel storage pools. About 50 minutes after the earthquake, a tsunami reached the plant site and the water level significantly exceeded the maximum planned for in the design basis. The surroundings of the site were completely destroyed. Equipment was flooded and the diesel generators became inoperable. The electricity supply to the units was completely lost. Since the heat production of the units was still significant but lacked the necessary cooling, the cooling water boiled away and the fuel assemblies dried out and partially melted down. The hydrogen generated by the overheated fuel assemblies was removed to the reactor halls of Units 1, 2 and 3 in the course of depressurization, and later it exploded there. The reactor buildings of Units 1, 2, 3 and 4 were severely damaged, leading to the release of a significant amount of radioactive material into the environment. Later, the loss of cooling for the spent fuel storage pools led to damage of the fuel assemblies. The contamination resulted in high local radioactive dose rates at the site that made accident management and civil defence activities very difficult. In order to minimize health effects to the population, the Japanese authorities ordered the evacuation of the region within a distance of 3 km from the plant, later 10 km, before the significant releases into the environment. The evacuated area was increased to a 30 km circle and civilians, even now, have only limited access to this area. Due to the huge, disciplined and self-sacrificing effort of the staff, the situation in the reactor units and storage pools was finally stabilised when the electricity supply was restored and the necessary equipment became available, significantly reducing the danger of further large radioactive releases. However, the reactors of Units 1 to 4 have been lost forever. Decontamination of the site and its surroundings will probably take years or even decades. The accident had a severe effect on the Japanese economy and eroded trust in the safety of nuclear power plants worldwide, which had gradually been increasing in recent years. European countries initially reacted in various ways to the Fukushima accident, but while the struggle of the Fukushima staff to prevent the accident and mitigate its consequences was still in full sway, a debate had already started on developing a uniform European response.

The design basis is the range of conditions and events taken explicitly into account in the design of a facility so that it is able to withstand them through the planned operation of its safety systems without exceeding authorized limits. The conditions and events in the design basis are chosen in accordance with established criteria. Events of very low probability are excluded from the design basis, but they still have to be considered and analysed.

CBF_EJ_Eng

2011

Page 4 of 31

TARGETED SAFETY REVIEW

Version: 1

The national nuclear authorities responsible for decisions related to licensing nuclear power plants (NPPs) agreed unanimously to test the reactors under their auspices in a uniform manner. (This process was given the misleading name stress test, taken from the banking business, but in this report it is referred to as a targeted safety review.) The uniform European viewpoint is based on an agreement that the nuclear authorities prepare national reports on the basis of reports from each of their NPPs. The national reports should review the status of the plants and determine any necessary measures to be taken. To provide a uniform framework for this evaluation, its content was specified and it was decided there should be a peer review process for the national reports. The nuclear industry investigates in detail any unexpected event or accident to prevent similar events or decrease their frequency. As a result, the safety level of NPPs has reached a very high level. This is why the severe consequences of the Fukushima accident came as such a surprise. The accident called attention to the following weaknesses: failure to update the design basis regarding natural events, catastrophic consequences of natural events that exceeded those planned for in the design basis, long-term loss of the electricity supply, long-term loss of the ultimate heat sink, hydrogen explosions during the severe accident in the reactors, damage to the spent fuel stored in the storage pool, initial problems with the functioning of the emergency response teams. It is important to ask what would happen in a similar situation at other NPPs. The targeted safety review has therefore to answer the following questions: Was the plants design basis properly specified with respect to potential natural events at the given site? How would the plant react to external natural events that exceed those planned for in the design bases? Could a long-term loss of the electricity supply occur and what would be its consequences? Could a long-term loss of the ultimate heat sink occur and what would be its consequences? Is the plant properly prepared to prevent a severe accident of the reactors and storage pools, and to mitigate such an accident should it happen? Is the emergency response organisation of the plant properly prepared to manage such events, occurring singly or in combination, and for accidents that could propagate to every reactor and storage pool at the site? The reference date for the targeted safety review is June 30, 2011, and the report should contain recommendations to address any deficiencies found. In accordance with the agreement, on May 2, 2011 the Hungarian Atomic Energy Authority (HAEA) gave instructions for a targeted safety review of Paks NPP. Paks NPP was required to submit a progress report by August 15, 2011, and the final report must be completed by October 31.

CBF_EJ_Eng

2011

Page 5 of 31

TARGETED SAFETY REVIEW

Version: 1

The progress report has been completed (in Hungarian), and its contents are summarised in this document. Taking account of the plants report, HAEA will evaluate the targeted safety review, its findings and any statements made. If required, HAEA will determine any necessary safety enhancement measures. On the basis of the plants review, HAEA will prepare the national report to be submitted by the Hungarian government to the European Commission.

CBF_EJ_Eng

2011

Page 6 of 31

TARGETED SAFETY REVIEW

Version: 1

1. The site and main characteristics of the plant


1.1 Basic information
1.1.1 Location and surroundings
The Paks NPP site is located about 5 km south of the town of Paks, 114 km south of Budapest. It is 1 km west of the Danube River, and 1.5 km east of national road no. 6 (Fig. 1.1-1). The elevation of the site is 97.00 m above the Baltic Sea level. The coordinates of the centre of the site are: 46 34 43.05 N; 18 51 09.56 E.

Fig. 1.1-1:

Location of Paks nuclear power plant

The area within a radius of 3 km directly around the site comprises the operational site itself with a spare area, fishing lakes, forests, and connecting roads. The wider area around the plant, with a radius of 30 km, is mostly agricultural fields with scattered villages and towns. Fig. 1.1-2 shows the general layout of the site.

CBF_EJ_Eng

2011

Page 7 of 31

TARGETED SAFETY REVIEW

Version: 1

Coolliing Coo ng watter wa er

Riiver R ver Danube Danube

Spare siitte Spare s e

Diischarge D scharge watter wa er

Exiisttiing Ex s ng uniitts un s

Fig. 1.1-2:

General view of the site

1.1.2

Number of units

The site accommodates four reactor units. The individual reactors are installed in twin-unit buildings, each with two reactors. A general view of the plant can be seen in Fig. 1.1-3.

Fig. 1.1-3:

General view of Paks NPP

CBF_EJ_Eng

2011

Page 8 of 31

TARGETED SAFETY REVIEW

Version: 1

1.1.3

Licence holder

The licence holder is the Paks NPP Joint Stock Company (Paks NPP Ltd), which has been operating in its current legal form since April 14, 2006. The majority owner of the company is the state owned Hungarian Power Companies Ltd with a total equity of more than 99.99%.

1.1.4

Type and power of reactors

Each of the four units is a VVER-440/V-213 power reactor, cooled and moderated with light water, and each has a thermal output power of 1,485 MW. The individual electrical capacity of each reactor unit is 500 MW, giving a total electrical capacity of approximately 2,000 MW. The nominal power of 500 MW was reached after two major steps of power uprating from the original 440 MW. Table 1.1-1 gives the nominal values of the main process parameters. Table 1.1-1: Main process parameters
Parameter Reactor thermal power Primary coolant flow rate Primary circuit pressure Primary cold leg temperature Primary hot leg temperature Shut-down boric acid concentration Fresh steam pressure Fresh steam mass flow Fresh steam temperature Value 1,485 MW 40,800 m3/h 123 bar 267 C 297 C 13.5 g/kg 46 bar 1,467 t/h 260 C

1.1.5

Dates of commissioning
Unit 1: Unit 2: Unit 3: Unit 4: December 28, September 6, September 28, August 16, 1982 1984 1986 1987

The individual units were first connected to grid between 1982 and 1987 as follows:

1.1.6

Characteristics of the spent fuel pools

To store spent fuel, a spent fuel pool is provided in each unit directly beside the reactor pit. The pool, which is open during refuelling, is connected through a transport passage to the refuelling pool (the area above the open reactor). Outside of fuel manipulation periods, the top of the spent fuel pool is covered and it is isolated from the refuelling pool by a slide gate that blocks

CBF_EJ_Eng

2011

Page 9 of 31

TARGETED SAFETY REVIEW

Version: 1

the transport passage. This gate forms part of the hermetic confinement boundary during operation. The spent fuel pool allows storage of fuel assemblies at two different heights. The normal operational storage rack is located at the bottom of the pool with a capacity of 650 fuel assemblies and 56 hermetic casings. For short periods, a spare storage rack is positioned on top of this on the rare occasions when it becomes necessary to unload the reactor vessel completely. At other times the spare rack is stored in the reactor hall. The capacity of the spare rack is 350 fuel assemblies. The operational and spare storage racks are shown in Fig. 1.1-4.

Fig. 1.1-4:

The operational and spare storage racks of the spent fuel pool

The cooling system of the spent fuel pool consists of two loops (for built-in redundancy) with a pump and a heat exchanger in each line. During normal operation, one loop is operational and the other is on standby. The two loops can be connected with each other at both the suction and the discharge sides of the pumps. This enhances the reliability of pool cooling as the cooling function can continue during any combination of failures of one pump and one heat exchanger. Recently introduced improvements to preventive accident management measures and emergency operating procedures mean that damage to the fuel stored in the spent fuel store is highly unlikely. If there were an accident in the pool, radioactivity would be released directly to the reactor hall and from there to the environment. As a result, the effects of the release could be significant although the environmental consequences would be less severe than for a reactor accident, due to the elapsed repose period of the fuel. At the time of this report, the damaged fuel assemblies from the April 2003 fuel accident are in temporary storage in hermetic casings in the Unit 2 spent fuel pool.

CBF_EJ_Eng

2011

Page 10 of 31

TARGETED SAFETY REVIEW

Version: 1

1.1.7

External electrical connections

The electrical power generated by the plant is connected to the national power grid at 400 kV and 120 kV voltage levels. The two main transformers belonging to one unit are connected to the 400 kV substation (Fig. 1.1-5), which constitutes a nodal point of the national grid. The substation is connected to other nodal points of the national grid via 400 kV transmission lines. The reliability of the substation is a key element of plant operational safety. The primary side of the main transformers and the house-load transformers are connected directly to the circuit breakers of the generators at 15.75 kV. This makes it possible to provide house-load electrical power backwards from the national grid via the substation (e.g. for unit start-up).

Fig. 1.1-5:

The 400 kV substation

The 400 kV system powers the 120 kV substation via two booster transformers. As well as outputting the generated electricity to the national main distribution grid, the 120 kV substation is connected to the plants reserve start-up transformers, which allows the possibility of also supplying in-house consumers from the 120 kV national grid. The Paks substation is connected to the national grid (400 kV) via transmission lines heading in five different directions, and to the main distribution grid (120 kV) through the two booster transformers and then seven transmission lines. This arrangement of multiple electrical connections yields sufficient operational safety should any single transmission line fail. A map of the national grid is shown in Fig. 1.1-6.

CBF_EJ_Eng

2011

Page 11 of 31

TARGETED SAFETY REVIEW

Version: 1

400 kV single-system transmission line 400 kV line planned / under construction

400 kV double-system transmission line 400 kV transmission line operated at 220 kV

220 kV single-system transmission line 220 kV double-system transmission line

750 kV transmission line 120 kV transmission line

Fig. 1.1-6:

The Hungarian national grid

1.1.8 Differences between the units relevant to safety and the review
1. Differences in the diesel generators The diesel generators installed in the first twin unit differ from those in the second. In Units 1 and 2 there are three 15D100, 10 twin-cylinder, two-stroke, Soviet-made (Ukrainian) diesel generators installed in each unit with a nominal capacity of 1.6 MW. These can be loaded for 10 hours up to 1.8 MW. Their nominal rotation speed is 750/min, and the run-up time is 15 sec. In Units 3 and 4 there are three Ganz SEMT-Pielstik, 18-cylinder, four-stroke, four-valve, Hungarian-made diesel generators installed in each unit with a nominal capacity of 2.1 MW. Their nominal rotation speed is 1500/min, and the run-up time is 15 sec. Fig. 1.1-7 shows these diesel generators.

CBF_EJ_Eng

2011

Page 12 of 31

TARGETED SAFETY REVIEW

Version: 1

Fig. 1.1-7: 2.

The Ukrainian and Hungarian diesel generators

The status of plant modifications for severe accident management A comprehensive severe accident analysis and management program was initiated at the plant in 2008 to mitigate potential consequences of any low-probability, high-severity reactor accidents caused by circumstances not planned for in the design bases. Several design changes required for the introduction of severe accident management have already been implemented in the individual units; but, at the time of this report, the modifications have not been completed to the same extent in every unit. Table 1.1-2 gives the current status of these design changes. Table 1.1-2: Status of plant modifications for severe accident management and the schedule for implementation
Measure Plant changes for flooding the reactor vessel cavity Provision of an autonomous power supply to designated consumers Installation of passive hydrogen re-combiners Reinforcement of the spent fuel pool cooling system against loss of coolant Installation of a severe accident monitoring system Unit 1 Completed Completed Completed Nov-Dec 2011 Completed Unit 2 2012 overhaul Completed Completed Nov-Dec 2012 Jun-Aug 2012 Unit 3 2013 overhaul 2011 overhaul 2011 overhaul Feb-Mar 2013 Sep-Oct 2013 Unit 4 2014 overhaul Completed Completed Jan-Feb 2012 May-Jun 2013

3.

Location of the demineralised water storage tanks in Units 3 and 4 The demineralised water storage tanks (three 900 m3 tanks per twin unit) have an important role in maintaining the demineralised water supply required by important plant systems for cooling purposes. The tanks for Units 3 and 4 are situated directly alongside a laboratory building that is not reinforced or qualified for seismic events. The collapse of the building wall could potentially have an impact on the demineralised water storage tanks.

CBF_EJ_Eng

2011

Page 13 of 31

TARGETED SAFETY REVIEW

Version: 1

4.

Restoration of the essential service water systems Restoring the operation of the essential service water systems after a total system loss differs between the units. In Units 1 and 2 the systems are capable of filling themselves up after the restart of their pumps, but in Units 3 and 4 additional systems are needed to fill the systems before the pumps are allowed to be started.

1.2 Site-specific external natural hazards


1.2.1 Earthquakes
After preliminary studies had started in 1986, Paks Nuclear Power Plant Ltd. performed a fullscope geological, geophysical, seismological and geotechnical characterisation of the site, its vicinity, and the region, with a subsequent comprehensive probabilistic seismic hazard assessment (PSHA) between 1993 and 1995. The characterisation of the site followed International Atomic Energy Agency (IAEA) standards 50-SG-S1 (Rev1) and was supported by an IAEA Technical Cooperation Project as well as by the European Commission PHARE Project. The results of this re-evaluation demonstrated the acceptability of the site and provided the parameters for the design base earthquake (i.e. the magnitude of earthquake the plant was designed to withstand safely), approved by the Hungarian regulatory authority in 1996. The site characterisation and the assessment of seismic hazard were reviewed between 1997 and 1999 and in 2007, as part of periodic safety reviews. This took into account the results of continuous micro-seismic monitoring and new scientific evidence, especially in the area of neotectonics. The 2007 review demonstrated that the PSHA and the underlying geological, geophysical and geotechnical investigations complied with the Hungarian Safety Regulations and the IAEA norms. The design base earthquake is defined by the 10-4/year non-exceedance level on the mean hazard curve (i.e. the strength of earthquake predicted to happen only once every 10,000 years). Figure 1.2.1-1 shows the hazard curves.

Fig. 1.2.1-1: The seismic hazard curves

CBF_EJ_Eng

2011

Page 14 of 31

TARGETED SAFETY REVIEW

Version: 1

The horizontal and vertical peak ground accelerations (PGAs) are equal to 0.25g and 0.2g, respectively. This approach complies with the Hungarian regulations and international practice. The 25-30 m thick saturated young soft soil (~300m/s shear-wave velocity) that covers the eroded Pannonian surface at the site is prone to liquefaction at a depth of 10-15 m. The safety factor to liquefaction is rather low. Seismic safety provisions at the plant Paks NPP was originally not designed and qualified for earthquakes, so the safety upgrading was aimed to demonstrate plant safety at a newly defined design basis. The seismic upgrading project, which lasted from the mid 90s up until 2003, was the most extensive performed in the history of the plant. The safety level achieved was quantified by seismic probabilistic safety assessments (PSAs). The seismic upgrading project covered the identification and implementation of upgrading and qualification measures, the installation of seismic instrumentation, and the development and introduction of procedures for pre-earthquake preparedness and post-event action. The project resulted in assurance of the basic safety functions: shutdown of the reactor and maintaining it in a subcritical condition, cool-down and continuous cooling of the reactor (without time limit), and retention of radioactivity within the systems and buildings for the protection of the public and the environment. If there is an earthquake, the reactor would be shut down either by the reactor protection system due to process system malfunctions, or manually by the operator if the earthquake exceeds set criteria regarding the maximum strength permitted for safe operation. The cool-down is ensured by secondary-side bleed and feed. Continuous cooling is maintained by the heat removal system. In all redundant trains of equipment, the systems, structures and components needed for these safety functions are reinforced and qualified for a safe shutdown earthquake (SSE, i.e. the maximum strength of earthquake for which the various safety systems are reinforced to provide a safe reactor shutdown and continued reactor cooling). The systems not required for the safety functions are isolated automatically from those that are seismically qualified. The cooling technology for a potential SSE was developed assuming that the plant would be in normal operation when the event occurred, and that the outside energy supply (the grid) and make-up water source would then not be available for 72 hours. In accordance with the Nuclear Safety Regulations, all redundant safety trains have been upgraded and qualified for an SSE, including the emergency core cooling systems. Consequently, post-earthquake scenarios with loss of coolant can also be managed, even though these are beyond the design basis scenarios according to safety philosophy. The systems for heat removal from the spent fuel and refuelling pools are also reinforced and qualified for an SSE. In an emergency, the active systems cooling the pools are supplied with electrical power from diesel generators. The possibility of fires and flooding resulting from an earthquake is also avoided through the reinforcement of the relevant systems. Ongoing review activities and preliminary actions A critical aspect that requires further investigation remains the liquefaction hazard at the site, including analyses of the settlement of the buildings (with and without liquefaction), underground connections, etc. This issue is discussed further in Section 2.

CBF_EJ_Eng

2011

Page 15 of 31

TARGETED SAFETY REVIEW

Version: 1

The feasibility of implementing an automatic reactor shutdown function during the planned modernisation of seismic instrumentation is under consideration. The fire brigade plays a vital role after earthquakes, but their base building is not seismically reinforced. This issue is being investigated further. There is room for improving seismic housekeeping. The fixing of tools in place and maintenance appliances stored at the units, and the fixing of heavy tools and furniture at the maintenance shops and offices, need to be evaluated as further corrective actions.

1.2.2

Flooding

Evaluation of the hazard of flooding is based on a statistical evaluation of data collected from local water level measurement gauges. On this basis, the level of icy flooding with a frequency of 10-4 /year in the vicinity of the site would be 96.07 m above the level of the Baltic Sea, and the level of ice-free flooding would be 95.51 m. The level of the dyke protecting the site from flooding is 96.60 m, and the filling level of the site is 97.00 m. These are higher than the potential flooding levels, and so flooding need not form part of the design basis. A conservative extension of the statistics of the water levels beyond the design basis case suggests the estimated water level might potentially exceed the filling level of the site at a frequency of less than 10-4 /year. However, the dyke is lower upstream to the site and also on the eastern bank of the Danube (96.6 m), and so the river would flood the areas to the north and to the east of the site; consequently, the extreme flooding would not endanger the plant site. Flooding can therefore be excluded from the natural sources of hazard even when considering beyond design basis conditions. Ongoing review activities The review so far has covered static, slow changes in water level. Flooding due to dynamic, rapid processes also needs to be analysed. This is ongoing and the findings will be included in the final report.

1.2.3

Low level of the River Danube

To investigate the security of the cooling water supply by determining the potential extreme low levels of the river, a statistical evaluation of the collected data from the water gauges was used. According to the statistical evaluation, the low level that occurs with a frequency of 10-4 /year would be 84.65 m above the level of the Baltic Sea, incorporated in the design basis. Even lower water levels may potentially occur. The statistical evaluation gives 84.48 m at a frequency of 10-7 /year. Oscillation of the Danubes water level should be considered a natural hazard, since the loss of the essential service water system cannot be tolerated in the long term even when the reactors are shut down. The pumps for this system have to be sufficiently far below the lowest potential level of the Danube to ensure cavitation-free operation even in this extreme case. To meet these conditions, the impellers of the pumps were replaced and now the pumps can be used until the level drops to 83.50 m.

CBF_EJ_Eng

2011

Page 16 of 31

TARGETED SAFETY REVIEW

Version: 1

Ongoing review activities The statements above were based on static calculations and on the previous analyses of low water levels and drought in the Paks drainage basin. Complementary analyses are ongoing and the findings will be included in the final report.

1.2.4

Extreme weather conditions

The following weather conditions were identified at the site as potential dangerous natural events: high strength gusts of wind, extreme high and low temperatures, extreme rain, extreme snow, lightning.

Results of earlier reviews were used to evaluate the meteorological hazards. The statistical characterisation of the various events was based on adjusting theoretical (mostly Gumbel) distributions to the various datasets. Based on these adjustments, the values of the meteorological extremes that potentially occur with a frequency of 10-4 /year were identified. The extreme meteorological characteristics were estimated for frequencies down to 10-7 /year. Obviously, the estimates of meteorological characteristics for such low frequencies, based on data collected only over 50-60 years, have a significant statistical error. However, these extreme levels could significantly exceed the design basis values, and so the consequences of very low frequency events have to be considered in the review. The extreme values of the relevant meteorological parameters are as follows: extreme wind velocity: 48.8 m/s, extreme environmental temperatures: -39.6 C, and 43.0 C, extreme rainfall: 38 mm in 10 minutes, 68 mm in 60 minutes, and 320.5 mm in 24 hours, extreme snow load: 1.5 kPa, extreme lightning current: 200 kA.

1.3 Findings of earlier probabilistic safety assessments


In Hungary, as in any other country where NPPs operate, licensing is based on deterministic safety analyses, summarised in the safety analysis report. The most important factor for ensuring the safety of the plant is an adequate level of defence in depth, i.e. protection that is multi-layered and contains redundancy. The deterministic analyses are carried out with a conservatism specified in the regulations, and the results should satisfy internationally agreed acceptance criteria. Paks NPP Ltd., like any other operating NPP, has an operational licence issued by the national safety authority. The issuance of this licence confirms that the principle of defence in depth is adequately fulfilled in the plant. Since the principles behind the deterministic analyses were not questioned by the Fukushima accident, their review was not requested for the current task.

CBF_EJ_Eng

2011

Page 17 of 31

TARGETED SAFETY REVIEW

Version: 1

The deterministic analyses are well complemented by the probabilistic safety analyses (PSAs). In principle, these cover the full set of possible adverse events and processes. Their aim is to determine the frequency (probability of occurrence per year) of fuel damage (Level 1 PSA), and the frequency of a large radioactive release (Level 2 PSA). Results of the PSAs have to satisfy certain regulatory requirements. They are also useful in determining safety enhancement measures. The safety enhancement measures arising from the PSA results should increase the efficiency of defence in depth against extremely rare events beyond the scope of the deterministic analyses. The Fukushima accident called into question the completeness of PSAs. This is why the targeted safety review includes a review of PSA studies of the plant. Additionally, by definition, the targeted safety review will also cover extremely rare events and processes that have not been investigated earlier. The following statements can be made based on the results of the Level 1 PSA in Paks: The total core damage frequencies (CDFs) representing the scope of the available PSA studies for the individual units of Paks NPP are lower than the target value specified in state-of-the-art international guidance, i.e. the quantitative criterion for CDF has been met. No single system, structure or component can be identified as making a dominant contribution to the CDF value, i.e. the risk can be considered to be balanced over the underlying contributors. The quantitative results indicate that, of the initiating events, earthquakes make the largest contribution to risk, and human error is the most important basic event from the point of view of core damage frequency. A number of safety upgrading measures have been implemented to reduce the effect of the most important contributors to risk. These measures include extensions to the scope of seismically qualified electrical and instrumentation and control components, the development of new procedures and operator guidelines to support emergency operations, etc. The following statements can be made based on the results of the Level 2 PSA in Paks: The frequency of a large off-site radioactivity release due to internal events, fire or internal flooding at full power operation corresponds closely with the risk figures estimated internationally for pressurised water reactors of the same vintage. Early containment failure was found to be a relatively important contributor to the frequency of off-site release. Measures have therefore been implemented for hydrogen treatment in the event of a severe accident. In order to arrest the core meltdown process within the reactor and to prevent base mat melt-through, a new accident management procedure is being implemented for cooling the reactor vessel externally by means of flooding the reactor cavity. Much attention has been paid to the management of accidents in the shutdown state when the reactor vessel is open for refuelling. The emergency operating procedures have been extended to low power and shutdown conditions, and the severe accident management guidelines address severe accidents in these conditions. The risk of off-site release due to a seismic event is reduced mainly by reducing the frequency of severe accidents and containment isolation failures. Accident mitigation is also important for seismic accidents, especially hydrogen treatment in severe accident conditions.

CBF_EJ_Eng

2011

Page 18 of 31

TARGETED SAFETY REVIEW

Version: 1

From the results of the spent fuel pool PSA it can be stated that the frequency of fuel damage is acceptably low. Despite the low risk estimates, a number of measures have been taken to prevent fuel damage in the spent fuel pool as the open pool directly communicates with the atmosphere of the reactor hall. These measures are aimed mostly at improving the reliability of the cooling circuits connected to the spent fuel pool. Some further actions are seen as necessary in relation to the plant PSA: the scope of the PSA studies should be broadened to include external events other than earthquakes, the PSAs should be updated to reflect the effect of measures taken and guidelines introduced for severe accident management.

CBF_EJ_Eng

2011

Page 19 of 31

TARGETED SAFETY REVIEW

Version: 1

2. Review results
The Hungarian Atomic Energy Authority required the review of two key potential events: long-term (several-day) loss of the electricity power supply, loss of the ultimate heat sink. For both areas, five main topics needed to be reviewed: overview of relevant plant systems, their adequacy and their compliance with the design basis, potential internal causes of the key events, potential external causes of the key events, robustness, margins and protection against external events that exceed the design basis, accident prevention activities for each key event. Neither the total loss of electrical power supply nor the loss of the ultimate heat sink were taken into account in the design basis due to their very low likelihood. Nevertheless, we needed to assess these two key events in the targeted safety review as without electrical power or cooling water it is not possible to maintain the reactor and spent fuel pool cooling. These events are interrelated. The operation of the emergency electrical power supply sources (the diesel generators) cannot be maintained for long periods without essential service water, but the water pumps are powered from the diesel generators under emergency situations. Again, it should be emphasised that the likelihood of losing any one these systems is extremely small, far below the design basis limits. (Potential corrective actions to resolve the issue are detailed later.) As review activities for the two main key events are very similar, some common statements can be made before considering each individually. Ongoing review activities common to the two key events In the review of potential internal causes of the key events, the root causes deriving from operations, maintenance, human, documentation and organisational errors, and the effects of these, are still being investigated. Regarding external causes, we identified that the effects of some potential meteorological conditions (taken into account in the design basis) had not been considered sufficiently in the previous analyses. Although we had identified these extreme events, the plant systems, structures and components (SSCs) potentially affected by them had not been investigated to the required level of detail. A systematic review that will list the affected SSCs and define the effects of the extreme external events on them was therefore initiated in the last periodic safety review. This comprehensive system review is ongoing and cannot be finished by the conclusion of the targeted safety review. As a consequence, the final report will describe the results achieved by that time and will set out future tasks for this area. The building settlement analyses performed recently show large uncertainty in their prediction of building settlement in the case of an earthquake (with and without soil liquefaction). The settlement caused by an earthquake can affect the underground connections (service water piping and emergency power supply cables) due to relative displacements. A new analysis has to be performed for the proper assessment of the issue and to identify any corrective measures (additional qualifications or modifications).

CBF_EJ_Eng

2011

Page 20 of 31

TARGETED SAFETY REVIEW

Version: 1

It is also necessary to characterise safety margins for weather conditions that may cause extreme loads on plant structures and systems beyond those taken into account in the design basis. This analysis is part of the risk assessment for natural external events currently in progress. The analysis is due to be completed by December 2012.

2.1 Long-duration total loss of the electrical power supply


Relevant plant systems are: the 400 kV and 120 kV substations, the emergency diesel generators, and the AC and DC electricity distribution systems, including plant batteries. According to the results of the safety analyses made for the diesel generators and electricity distribution systems, the reliability of the components and the architecture (the applied principles of redundancy, independence and self-diagnosis) ensure the required high level of availability. Each unit has three identical and fully independent trains of these safety systems, from which one single train is sufficient to provide the required safety functionality (reactor and spent fuel pool cooling). Because of the applied redundancy and separation, a single failure in one train or in any connected auxiliary system cannot lead to the loss of the safety function regardless of the type of initiating event. All the safety electrical power supply SSCs are qualified and reinforced where needed for a safe shutdown earthquake. Seismic qualification of the supporting systems e.g. the fuel and service water supplies, relay logics, cabling, and building structures have been reviewed and found to be adequate. Interactions and the possible fires and floods caused by the earthquake are avoided through reinforcing the interacting SSCs. As described in Sections 1.2.2 and 1.2.3, flooding and low water levels do not need to be considered as potential external hazards for the electrical power supply systems. Regarding extreme weather conditions, the ongoing system review described in the introductory part of Section 2 will provide the required results. It can be stated for Paks NPP that the alternative and already proved off-site electrical power supply routes would guarantee power supply for consumers important to safety should all four units be shut down. The external supply can be provided in a redundant manner via two independent and physically separated electrical networks. Even if the national grid collapses, there are two dedicated transmission lines that connect the plant to two remote, conventional power plants with gas turbines for resolving the blackout situation. The safety margins of the power supply function in withstanding earthquakes beyond those taken into account in the design basis have been assessed. From this, it can be concluded that such an earthquake would not necessarily lead to the loss of power supply systems. However, the probability of power supply failure naturally increases with earthquake intensity. For lower seismic acceleration ranges, the dominant form of seismic damage would be the massive liquefaction causing subsidence of the main building complex. The safety margins against beyond design basis earthquakes can be improved substantially by establishing or upgrading protection against the consequences of liquefaction. This issue was covered in Section 1.2.1 and in the introductory part of Section 2. In accordance with the aims of the targeted safety review we have assessed and evaluated all preventive accident management possibilities that might be used at the plant during a long-

CBF_EJ_Eng

2011

Page 21 of 31

TARGETED SAFETY REVIEW

Version: 1

lasting loss of internal and external electrical power supply sources. These would be primarily to avoid core damage or to halt extensive core melt processes and to prevent containment damage. Preliminary findings and ongoing review activities An increase in the quantity of diesel fuel stored at the site may be recommended to increase the current 120-hour operating time of the emergency diesel generators. The installation of additional, full function emergency/maintenance diesel generators should be considered. The concept, already accepted, of installing a full function maintenance diesel generator should be reassessed and the generators planned function should be extended to emergency situations. The concept should take into account the occurrence of severe accidents simultaneously in several units and several cooling pools. Installation of these severe accident diesel generators in each twin unit or even each unit should be investigated. Appropriate protection should be provided for these machines against external hazards, earthquakes and flooding. They should be totally independent from the plant cooling water systems. Regarding available on-site connections between the units at 6 kV AC, the possibilities for alternative, unused power supply routes are much better than previously thought. It is necessary to draw up operational procedures for testing and then using these connections. The high-voltage substations are not safety systems and, therefore, the applied redundancy is only twofold. As they may play an important role in powering the plant in-house systems from the national grid and in providing electricity via crossconnections from one unit to another, seismic qualification and/or reinforcement of the substations may be considered. It is recommended that a black-start capability to the Litr gas turbine (an off-site gas turbine located remotely) is created, which can provide external electrical power to Paks NPP via a dedicated transmission line if the national grid collapses.

2.2 Loss of the ultimate heat sink


The ultimate heat sink for Paks NPP is the River Danube. A chain of several plant systems provides the connection between the river and the crucial heat sources, i.e. the reactor and the spent fuel pool. The relevant plant systems for the review of the loss of ultimate heat sink function are: the essential service water system, the demineralised water system, the auxiliary feedwater system, the emergency auxiliary feedwater system, and the spent fuel pool cooling system.

The design of these systems followed the concept of defence in depth. The principles of redundancy, independence and self-diagnosis that were applied ensure the required high level of availability. Depending on the importance of the system, the redundancy is either two- or threefold. Because of this redundancy and separation, a single failure in a single branch, or in

CBF_EJ_Eng

2011

Page 22 of 31

TARGETED SAFETY REVIEW

Version: 1

any connected auxiliary system, cannot lead to the loss of the safety function, regardless of the initiating event. The seismic safety of the SSCs required for removing heat from the reactor and spent fuel pool and transferring the heat to the ultimate heat sink has been reviewed. For completeness, the functioning of the SSCs in the whole heat transfer path were considered and were found to be adequate. Certain parts of the system do not need to function after an earthquake. These are not reinforced and are isolated from the seismic-proof parts with fast shutdown valves should the acceleration level measured in the base mat of the plant exceed the trigger level (0.05g in any direction). The buildings that house the cooling systems, piping and all other relevant system components are reinforced for an SSE. The functions of the supporting systems, such as the emergency power supply, are also ensured as described in Section 2.1. Cooling of the spent fuel pool is ensured by two cooling loops and the essential service water system. The reactor hall and its roof, the reinforced concrete structures of the main building surrounding the pools, and the structure of the pools (including hatches and liners) have sufficient capacity to sustain the SSE loads. As described in Section 1.2.2, flooding need not be considered as a potential external hazard for the ultimate heat sink functions. An appropriate action plan is in force for low water levels of the River Danube. This issue was addressed in Section 1.2.3. For extreme weather conditions, the results required will be provided by the ongoing system review described in the introductory part of Section 2. The safety margins of the ultimate heat sink function in withstanding earthquakes that exceed those planned for in the design basis have been assessed. From this, it can be concluded that such an earthquake would not necessarily lead to the loss of systems necessary to ensure heat removal towards the ultimate heat sink. However, the probability of ultimate heat sink failure naturally increases with earthquake intensity. For the lower seismic acceleration ranges, the dominant form of seismic damage is the massive liquefaction causing subsidence of the main building complex. The safety margins against beyond design basis earthquakes can be improved substantially by establishing or upgrading protection against the consequences of liquefaction. This issue is covered in Section 1.2.1 and in the introductory part of Section 2. In accordance with the targets of the review, we have assessed and evaluated all preventive accident management possibilities that might be used in Paks NPP if the ultimate heat sink function were lost. These would be primarily to avoid core damage or to halt extensive core melt processes and to prevent containment damage. Preliminary findings and ongoing review activities If there is a loss of off-site power and a shutdown of all four reactors, the drum filters on the Danube water intake would stop as they are powered from non-safety electricity supply systems. After a considerably long period, these filters may become clogged and may endanger the supply of essential service water (and demineralised water). This should be avoided and the appropriate corrective action is being investigated. The demineralised water tanks in Units 3 and 4 are sited alongside a laboratory and service building. This building is not safety related and is not reinforced for an SSE. Damage to this building could impact the tanks. The necessary protective action is currently under review.

CBF_EJ_Eng

2011

Page 23 of 31

TARGETED SAFETY REVIEW

Version: 1

There is a diesel generator-driven firewater pump station at the plant. This could provide additional cooling water at a quantity of ~ 2x2,000 m3 from the fully closed discharge water canals of Units 3 and 4. For this, the removal of the retention edge of a pit and the installation of a closing valve are needed. A specific solution is being investigated. There are nine high-diameter, 30 m-deep coastal filtration wells equipped with submersible pumps in the Danubes bank with a practically unlimited water supply. This pump-station is connected to the essential service water system. The capacity of the pump station (500-700 m3/h) might be sufficient for the required minimum cooling water demand of all four units. However, this pump station receives its electrical power from non-safety sources, and it becomes inoperable during a total blackout. The installation of a fixed or mobile diesel generator to supply the ~ 400 kW electricity directly is under review. How other water sources around the plant could be used for additional water supply is being investigated. An appropriate solution might be the creation of mobile water extraction from the River Danube or from the fishing lakes located in the vicinity. The length of the mobile pipelines and how many pumps will be required in order to achieve the necessary delivery head are also being assessed, as are the potential connection points. The way to install pipelines between connection points in the plant yard area and the containment (possibly connecting inside to the emergency feedwater system) is under consideration. This would create the possibility of supplying cooling water to the steam generators when they are at low pressure. A potential source of water is also being investigated. A system for the secondary side blow-down of the steam generators to the containment is now installed, and this new system can serve as a line to feed cooling water into the containment. The method for powering and opening the new steam generator blowdown valves must be established and controlled by appropriate procedures. This method would also require a solution for borating the water supplied to the containment. The loss of the essential service water system would result in the loss of cooling of the spent fuel pool. Possible ways of supplying external water to the cooling pools is under investigation. The new water supply route must be protected from the external hazards that caused the severe accident. The system will have to remain operable under harsh radiation conditions. Boration of the water supplied to the cooling pool via the new pipeline will also have to be resolved. Specific tasks will be assigned in the final report.

2.3 Vulnerability of the containment function to external events that exceed those in the design basis
This section which will be completed for the final report in October 2011 will present the risk of losing containment integrity due to various levels of external events that exceed those planned for in the design basis. The margins of the systems and structures that ensure the containment function during such events are currently under thorough review. The margins are determined in the same manner as in Sections 2.1 and 2.2.

CBF_EJ_Eng

2011

Page 24 of 31

TARGETED SAFETY REVIEW

Version: 1

2.4 Severe accident sequences leading to significant radioactive releases


The aim of this review task was to consider whether the analyses performed so far cover the entire set of potential severe reactor and spent fuel accidents. Furthermore, it was necessary to investigate whether the following events may occur as a consequence of the key events or other causes: steam explosion in the reactor pressure vessel, deflagration/detonation of hydrogen generated in a severe accident, fuel damage due to a severe accident in the spent fuel storage pool, large radioactive release from waste storage or other systems containing radioactive materials, containment damage due to hydrogen deflagration, high-pressure vessel failure, steam explosion outside the pressure vessel, or slow overpressurisation. The review determined that the previous analyses were sufficient to cover the full scope of potential severe accident cases. The risk is within the requirement limits and complies with internationally accepted levels. The progression of severe accidents after a total station blackout is considered in this section. As the loss of electrical power also involves the loss of the ultimate heat sink, the sequences cover the key scenarios taken into account in the report. The timing of main events, such as core uncovery, fast cladding oxidation, fuel melting and core support plate failure, is presented along with the key thermal-hydraulic parameters of the accident. The time until the core melt starts is calculated to be more than 8 hours. Primary system pressure reduction, as an accident management measure, would allow subsequent interventions and prevent high pressure melt ejection from the reactor vessel. However, the vessel would later fail at a lower pressure level about 11 hours after the accident unless further accident management actions, such as external cooling of the reactor vessel, were taken. The necessary plant modifications are described in Section 2.5. A large amount of hydrogen from the Zr-H2O reaction is generated during core heat-up and meltdown. The concentrations of hydrogen in various parts of the containment have been obtained from 3D calculations that assume operation of the installed severe accident hydrogen recombiners. Hydrogen combustion calculations show that hydrogen burns in the containment are still possible for a limited period of time, but their intensity does not threaten containment integrity. Fuel-coolant interactions, also called steam explosions, are considered internationally to be among the potentially severe accident phenomena. According to the studies carried out, invessel steam explosions do not represent any real challenge for the Paks reactors. Ex-vessel steam explosions are prevented by in-vessel core retention via external cooling of the reactor. During the course of a severe accident, containment pressure would increase as a result of the steam released during the external cooling of the reactor vessel. The rate of pressure rise would depend on the actual leakage rate of the containment. This sequence leading to slow overpressurisation should be prevented by containment venting through a ventilation system. More details of the planned design change can be found in Section 2.5.

CBF_EJ_Eng

2011

Page 25 of 31

TARGETED SAFETY REVIEW

Version: 1

Preliminary findings and ongoing review activities The spent fuel pools are situated in the reactor hall. Since the reactor hall is not a confined volume, any accident involving spent fuel damage could result in significant radioactive releases. However, based on analyses, the timeframe of development of a severe accident in the spent fuel pool is very long due to the available water supply and relatively low decay power in it. A broad range of accident management measures are therefore available to recover spent fuel cooling. The severe accident mitigation procedures after the occurrence of an accident in the pool have not yet been established. In earlier analyses the calculation of the total hydrogen concentration in the reactor hall was based on an accident in only one single reactor or one single spent fuel pool. It was determined that the concentration of the accumulated hydrogen definitely did not reach the ignition level. In the ongoing review, the analysis is extended to identify the quantity of hydrogen and its spatial distribution during an accident involving two spent fuel pools, one open and one closed reactor simultaneously. The previous analyses showed no significant radioactivity release in the case of a failure of or an accident in the radioactive waste storage systems. This issue is currently being analysed further.

2.5 Accident management mitigating the consequences of uncontrolled key events


The aim of this review task was to assess the adequacy of mitigative measures, taking into consideration the Fukushima experience (including long-term processes and the difficulties related to the recovery of instrumentation and control systems). It was necessary to investigate whether cliff-edge phenomena could be avoided by the accident management measures implemented at Paks NPP. The objectives of severe accident management strategies are either to prevent the occurrence of accident sequences or to mitigate their consequences and, eventually, achieve a long-term stable state for the plant. The strategies were developed on the basis of the Level 2 PSA study, evaluating the major challenges for the plant. Mitigative severe accident management includes several main strategies: Prevention of high-pressure reactor vessel failure; Prevention of reactor vessel failure; Maintaining containment integrity; Limitation of radioactive releases.

The implementation of the strategy includes two key elements: on the one hand the installation of hardware components for performing severe accident management, and on the other the implementation of severe accident management guidance. Hardware components put in place for severe accident management include: External cooling of the reactor vessel through flooding the reactor cavity with the coolant drained from the localisation tower; Installation of passive autocatalytic recombiners for severe accident hydrogen management;

CBF_EJ_Eng

2011

Page 26 of 31

TARGETED SAFETY REVIEW

Version: 1

A dedicated instrumentation system for severe accident monitoring; A dedicated diesel generator for the energy supply of severe accident management hardware components; Reinforcement of the spent fuel pool cooling system against loss of coolant. These systems have been installed in Unit 1 and their installation is underway in the other units. Table 1.1-2 provides a summary of the current status of implementation. The other key element of the strategy is the development of accident management guidelines to provide the plant crew with appropriate guidance for mitigating the consequences of severe accidents that impact the reactor or the spent fuel pool and lead to large releases. The overall goal of the guidance is to return the plant into a controlled, stable condition with termination or significant reduction of the levels of radioactive material release. These guidelines have now been developed and they are expected to be introduced into plant operation at the beginning of 2012. Preliminary findings and ongoing review activities The consequences of slow over-pressurisation of the containment after a severe accident have now been analyzed further and countermeasures identified. Currently two concepts seem realistic: Filtered venting of the containment (the basic technical concept has already been elaborated for this option); Long-term cooling of the containment (optionally with an external cooling water feed).

2.6 Site emergency procedures for consequences of uncontrolled key events


managing

the

The aim of this review task is to assess the adequacy of measures related to the management of site emergencies in connection with severe accident management. The review had to cover: organisational preparedness, potential access to off-site support, the operability of mobile equipment, possibilities for re-supply (of fuel, drinking water, food, etc.), the adequacy of internal and external communication and information systems.

The assessment had to consider special emergencies where the infrastructure and communications were severely damaged or destroyed due to external events. The scope also covers situations where the working conditions at the site seriously deteriorate due to radiation/contamination or destruction, and long-term defence is needed. The assessment had to consider situations where several units and auxiliary buildings used by the emergency response team were damaged. The efficiency of decision-making, the operability of the emergency response organisation, and the possibilities of involving external resources had also to be reviewed. As a preliminary result, it has been concluded that the necessary personal and material prerequisites and resources for managing nuclear and traditional emergencies are basically at the disposal of Paks NPP.

CBF_EJ_Eng

2011

Page 27 of 31

TARGETED SAFETY REVIEW

Version: 1

The plants intervention capabilities during severe accidents and other emergencies correspond with international recommendations and the Hungarian regulations. Emergency preparedness has been adequately designed and tested. The preparedness covers both nuclear and other emergencies. The alarm system for activating the emergency response organisation has been properly designed. Education, training and tests ensure the maintenance of intervention capability during normal periods. For managing emergencies, Paks NPP established an Emergency Response Organisation. This organisation is activated whenever an emergency situation is declared and works in accordance with predefined rules and control. The buildings and equipment needed for efficient emergency management are at the disposal of the plant and are continuously maintained and modernised. Analyses for estimating radioactive releases during various accidents are available. The availability of certain buildings and equipment during emergencies is being investigated further. Conditions for long-term intervention capabilities are well designed and ensured; however, some details require further investigation. The protected buildings and systems needed for emergency management have their own energy resources. The critical equipment have uninterruptible power supplies (UPSs) and so the devices needed for emergency management can continue to be used when the electricity supply is lost. If the Protected Management Centre is lost, control should revert to the Reserve Management Centre. Here the conditions for control and communication are limited but the basic activities can be maintained. In order to review the potential use of external resources, further information has been requested from the National Directorate for Disaster Management, the Hungarian Army, companies providing communication services. The review process is currently ongoing in various ways and will be completed by the time of the final report.

CBF_EJ_Eng

2011

Page 28 of 31

TARGETED SAFETY REVIEW

Version: 1

3. Executive summary
Following the accident that occurred in the Fukushima NPP in Japan on March 11, 2011, European countries decided to carry out targeted safety reviews in their NPPs. On May 2, 2011, the Hungarian Atomic Energy Authority (HAEA) initiated a targeted safety review of Paks NPP and issued a document on the requirements of the investigation. The reference date of the investigation is June 30, 2011. Proposals have to be set out for addressing any eventual deficiencies found during the investigation. Paks NPP started the review on this basis. A Progress Report had to be prepared (in Hungarian) by August 15, 2011, the contents of which are summarised in this report. Section 1 presents the most important characteristics of the site and the plant, covering a basic description of relevant plant characteristics, external hazards of natural origin and a summary of the results of earlier probabilistic safety assessments (PSAs). The following conclusions can be drawn from Section 1: With respect to external events of a natural origin: The earthquake risk has been explored in detail and is well established. The plant is properly protected against earthquakes by the establishment and introduction of a comprehensive seismic protection concept and corresponding reinforcements; Soil liquefaction and the potential settlement of buildings need to be investigated further; Flooding of the site need not be considered for the review scope due to the specificities of the site; An extreme low level of the River Danube would be managed safely by the measures introduced; The evaluation of extreme events from other external causes is ongoing, but these are unlikely to endanger the safety of the plant. Following an extremely large earthquake, the long-term loss of the electricity supply and/or the ultimate heat sink cannot be excluded, but other external hazards are highly unlikely to lead to such events. The extreme external conditions experienced in Fukushima and the accident sequences they caused are unlikely at the Paks site. With respect to the probabilistic safety assessments (PSAs): The basic technical background for licensing nuclear power plants is provided by deterministic safety analyses. These prove that the safety of the plant satisfies all the regulatory requirements and specifications. The probabilistic assessments provide further useful information which can be used complementarily for improving safety. These assessments have led to many safety improvement measures in recent decades, including the preventive and mitigative management of accidents. In the current state of the plant, PSAs present a favourable picture. The safety improvements related to mitigative accident management have been completed for Unit 1 and are ongoing in the other units. As with any other NPP, the scope of PSAs can be continuously extended to safety components not previously considered, based on operational experience and new scientific results.

CBF_EJ_Eng

2011

Page 29 of 31

TARGETED SAFETY REVIEW

Version: 1

Section 2 presents the aims, scope and preliminary conclusions of the targeted safety review. HAEA required the investigation of two key events: long-term (several-day) loss of the electricity supply, loss of the ultimate heat sink. Since the severe accidents that lead to significant radioactive releases and their management at the site are essentially identical for these two key events, the related consequences (including the development of accidents with significant radioactive releases) are presented together. Section 2 consists of six sections: 2.1 Long-duration loss of the electrical power supply; 2.2 Loss of the ultimate heat sink; 2.3 Vulnerability of the containment function due to external events that exceed those planned in the design basis; 2.4 Severe accident sequences leading to large radioactive releases; 2.5 Accident management mitigating the consequences of uncontrolled key events; 2.6 Site emergency procedures for managing the consequences of uncontrolled key events. Sections 2.1 and 2.2 are devoted to the two important key events that were the direct causes of the Fukushima severe accident. These two sections have an identical structure. After reviewing the design basis, the internal and external causes of the key event are discussed, and then protection against external events that exceed the design basis and accident prevention activities are presented. In Section 2.3 (under development in the present phase) it will be considered whether the containment function preventing the release of radioactive materials into the environment would remain intact following external events that exceed the design basis and eventually result in the release of radioactive materials from the reactor. The key events may eventually lead to severe accidents (in circumstances presented in Sections 2.1 and 2.2), which are discussed in Section 2.4. In the case of a severe accident, the plant aims to control the event sequences through mitigative accident management (Section 2.5), and tries to prevent catastrophic consequences through emergency response measures (Section 2.6). The basic statements of the performed review are given together with the preliminary recommendations in every section. The analyses and investigations to be completed by the finalization of the targeted safety review or later are also listed at the end of the corresponding section.

CBF_EJ_Eng

2011

Page 30 of 31

TARGETED SAFETY REVIEW

Version: 1

List of abbreviations
Abbreviation CDF HAEA IAEA NPP PGA PSA PSHA SSCs SSE VVER Meaning Core damage frequency Hungarian Atomic Energy Authority International Atomic Energy Agency Nuclear power plant Peak ground acceleration Probabilistic safety assessment Probabilistic seismic hazard assessment Systems, structures and components Safe shutdown earthquake Pressurized water reactor of Russian design

CBF_EJ_Eng

2011

Page 31 of 31